edit-icon download-icon

[Vulnerability notice] CCleaner with backdoor program installed

Last Updated: Apr 02, 2018

On September 18, 2017, Piriform announced that the CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191 on 32-bit Windows operating systems were modified and inserted with malicious code. This was another serious attack event targeting the software supply chain in the recent one month after the Xshell backdoor incident happened.

The entire malicious code embezzles the digital signature of CCleaner, so this download activity does not trigger any alerts and users are unaware of this activity. Moreover, hackers can also steal privacy information on user computers.

See the following for more information about the vulnerability.


CCleaner is a system cleaning tool developed by Piriform. Recently, Piriform was acquired by Avast, a security product vendor. CCleaner is used to clean unwanted files in the Windows operating systems to reserve more disk spaces. It can also clear temporary Internet files.

Security risk

After a user installs the infected software on the computer, hackers can obtain the privacy information from the computer, including the system name, MAC address, system version, installed software, and process information. The obtained information is then transferred to the console server, causing a high level of risk.

Affected scope

The CCleaner client has a wide range of users, and the vulnerability has a great impact. The affected versions include:

  • CCleaner version 5.33.6162
  • CCleaner Cloud version 1.07.3191

Security solution

  • If the CCleaner has been installed on your computer, we recommend that you uninstall it and configure a security group policy to prohibit the communication with the console address.

  • The users who use the PC edition are advised to upgrade the software to the latest version as soon as possible.

Indicators of Compromise (IoCs)

File Hashes

  • 6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9
  • 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff
  • 36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9

DGA domains

  • ab6d54340c1a.com
  • aba9a949bc1d.com
  • ab2da3d400c20.com
  • ab3520430c23.com
  • ab1c403220c27.com
  • ab1abad1d0c2a.com
  • ab8cee60c2d.com
  • ab1145b758c30.com
  • ab890e964c34.com
  • ab3d685a0c37.com
  • ab70a139cc3a.com

IP addresses

  • 216.126.225.148

Reference

[1]. http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users
[2]. http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

Thank you! We've received your feedback.